|
|
8aada9 |
From e25e1e9228a6108d8e94f2e99f3004e6cbfc3349 Mon Sep 17 00:00:00 2001
|
|
|
8aada9 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
8aada9 |
Date: Tue, 12 May 2020 16:55:32 +0200
|
|
|
8aada9 |
Subject: [PATCH 19/19] ad: check forest root directly if not present on local
|
|
|
8aada9 |
DC
|
|
|
8aada9 |
MIME-Version: 1.0
|
|
|
8aada9 |
Content-Type: text/plain; charset=UTF-8
|
|
|
8aada9 |
Content-Transfer-Encoding: 8bit
|
|
|
8aada9 |
|
|
|
8aada9 |
If the information about the forest root domain cannot be read from the
|
|
|
8aada9 |
local domain-controller it is tried to read it from a DC of the forest
|
|
|
8aada9 |
root directly.
|
|
|
8aada9 |
|
|
|
8aada9 |
Resolves: https://github.com/SSSD/sssd/issues/5151
|
|
|
8aada9 |
|
|
|
8aada9 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
8aada9 |
---
|
|
|
8aada9 |
src/providers/ad/ad_subdomains.c | 184 +++++++++++++++++++++++++++----
|
|
|
8aada9 |
1 file changed, 164 insertions(+), 20 deletions(-)
|
|
|
8aada9 |
|
|
|
8aada9 |
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
|
8aada9 |
index 299aa7391..7c6f51db7 100644
|
|
|
8aada9 |
--- a/src/providers/ad/ad_subdomains.c
|
|
|
8aada9 |
+++ b/src/providers/ad/ad_subdomains.c
|
|
|
8aada9 |
@@ -35,6 +35,10 @@
|
|
|
8aada9 |
#include <ndr.h>
|
|
|
8aada9 |
#include <ndr/ndr_nbt.h>
|
|
|
8aada9 |
|
|
|
8aada9 |
+/* Avoid that ldb_val is overwritten by data_blob.h */
|
|
|
8aada9 |
+#undef ldb_val
|
|
|
8aada9 |
+#include <ldb.h>
|
|
|
8aada9 |
+
|
|
|
8aada9 |
/* Attributes of AD trusted domains */
|
|
|
8aada9 |
#define AD_AT_FLATNAME "flatName"
|
|
|
8aada9 |
#define AD_AT_SID "securityIdentifier"
|
|
|
8aada9 |
@@ -1258,15 +1262,37 @@ ads_get_dom_id_ctx(struct be_ctx *be_ctx,
|
|
|
8aada9 |
|
|
|
8aada9 |
struct ad_get_root_domain_state {
|
|
|
8aada9 |
struct ad_subdomains_ctx *sd_ctx;
|
|
|
8aada9 |
+ struct tevent_context *ev;
|
|
|
8aada9 |
struct be_ctx *be_ctx;
|
|
|
8aada9 |
struct sdap_idmap_ctx *idmap_ctx;
|
|
|
8aada9 |
struct sdap_options *opts;
|
|
|
8aada9 |
+ const char *domain;
|
|
|
8aada9 |
+ const char *forest;
|
|
|
8aada9 |
|
|
|
8aada9 |
+ struct sysdb_attrs **reply;
|
|
|
8aada9 |
+ size_t reply_count;
|
|
|
8aada9 |
struct ad_id_ctx *root_id_ctx;
|
|
|
8aada9 |
struct sysdb_attrs *root_domain_attrs;
|
|
|
8aada9 |
};
|
|
|
8aada9 |
|
|
|
8aada9 |
static void ad_get_root_domain_done(struct tevent_req *subreq);
|
|
|
8aada9 |
+static void ad_check_root_domain_done(struct tevent_req *subreq);
|
|
|
8aada9 |
+static errno_t
|
|
|
8aada9 |
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+struct tevent_req *
|
|
|
8aada9 |
+ad_check_domain_send(TALLOC_CTX *mem_ctx,
|
|
|
8aada9 |
+ struct tevent_context *ev,
|
|
|
8aada9 |
+ struct be_ctx *be_ctx,
|
|
|
8aada9 |
+ struct ad_id_ctx *ad_id_ctx,
|
|
|
8aada9 |
+ const char *dom_name,
|
|
|
8aada9 |
+ const char *parent_dom_name);
|
|
|
8aada9 |
+errno_t ad_check_domain_recv(TALLOC_CTX *mem_ctx,
|
|
|
8aada9 |
+ struct tevent_req *req,
|
|
|
8aada9 |
+ char **_flat,
|
|
|
8aada9 |
+ char **_id,
|
|
|
8aada9 |
+ char **_site,
|
|
|
8aada9 |
+ char **_forest);
|
|
|
8aada9 |
|
|
|
8aada9 |
static struct tevent_req *
|
|
|
8aada9 |
ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
|
|
8aada9 |
@@ -1305,6 +1331,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
|
|
8aada9 |
state->opts = opts = sd_ctx->sdap_id_ctx->opts;
|
|
|
8aada9 |
state->be_ctx = sd_ctx->be_ctx;
|
|
|
8aada9 |
state->idmap_ctx = opts->idmap_ctx;
|
|
|
8aada9 |
+ state->ev = ev;
|
|
|
8aada9 |
+ state->domain = domain;
|
|
|
8aada9 |
+ state->forest = forest;
|
|
|
8aada9 |
|
|
|
8aada9 |
filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
|
|
|
8aada9 |
if (filter == NULL) {
|
|
|
8aada9 |
@@ -1340,17 +1369,14 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
|
|
8aada9 |
{
|
|
|
8aada9 |
struct tevent_req *req;
|
|
|
8aada9 |
struct ad_get_root_domain_state *state;
|
|
|
8aada9 |
- struct sysdb_attrs **reply;
|
|
|
8aada9 |
- struct sss_domain_info *root_domain;
|
|
|
8aada9 |
- size_t reply_count;
|
|
|
8aada9 |
- bool has_changes;
|
|
|
8aada9 |
errno_t ret;
|
|
|
8aada9 |
|
|
|
8aada9 |
req = tevent_req_callback_data(subreq, struct tevent_req);
|
|
|
8aada9 |
state = tevent_req_data(req, struct ad_get_root_domain_state);
|
|
|
8aada9 |
|
|
|
8aada9 |
- ret = sdap_search_bases_return_first_recv(subreq, state, &reply_count,
|
|
|
8aada9 |
- &reply);
|
|
|
8aada9 |
+ ret = sdap_search_bases_return_first_recv(subreq, state,
|
|
|
8aada9 |
+ &state->reply_count,
|
|
|
8aada9 |
+ &state->reply);
|
|
|
8aada9 |
talloc_zfree(subreq);
|
|
|
8aada9 |
if (ret != EOK) {
|
|
|
8aada9 |
DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information "
|
|
|
8aada9 |
@@ -1358,19 +1384,142 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
|
|
8aada9 |
goto done;
|
|
|
8aada9 |
}
|
|
|
8aada9 |
|
|
|
8aada9 |
- if (reply_count == 0) {
|
|
|
8aada9 |
- DEBUG(SSSDBG_OP_FAILURE, "No information provided for root domain\n");
|
|
|
8aada9 |
- ret = ENOENT;
|
|
|
8aada9 |
- goto done;
|
|
|
8aada9 |
- } else if (reply_count > 1) {
|
|
|
8aada9 |
+ if (state->reply_count == 0) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
8aada9 |
+ "No information provided for root domain, trying directly.\n");
|
|
|
8aada9 |
+ subreq = ad_check_domain_send(state, state->ev, state->be_ctx,
|
|
|
8aada9 |
+ state->sd_ctx->ad_id_ctx, state->forest,
|
|
|
8aada9 |
+ state->domain);
|
|
|
8aada9 |
+ if (subreq == NULL) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE, "ad_check_domain_send() failed.\n");
|
|
|
8aada9 |
+ ret = ENOMEM;
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+ tevent_req_set_callback(subreq, ad_check_root_domain_done, req);
|
|
|
8aada9 |
+ return;
|
|
|
8aada9 |
+ } else if (state->reply_count > 1) {
|
|
|
8aada9 |
DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, "
|
|
|
8aada9 |
"domain list might be incomplete!\n");
|
|
|
8aada9 |
ret = ERR_MALFORMED_ENTRY;
|
|
|
8aada9 |
goto done;
|
|
|
8aada9 |
}
|
|
|
8aada9 |
|
|
|
8aada9 |
+ ret = ad_get_root_domain_refresh(state);
|
|
|
8aada9 |
+ if (ret != EOK) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+done:
|
|
|
8aada9 |
+ if (ret != EOK) {
|
|
|
8aada9 |
+ tevent_req_error(req, ret);
|
|
|
8aada9 |
+ return;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ tevent_req_done(req);
|
|
|
8aada9 |
+}
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+static void ad_check_root_domain_done(struct tevent_req *subreq)
|
|
|
8aada9 |
+{
|
|
|
8aada9 |
+ struct tevent_req *req;
|
|
|
8aada9 |
+ struct ad_get_root_domain_state *state;
|
|
|
8aada9 |
+ errno_t ret;
|
|
|
8aada9 |
+ char *flat = NULL;
|
|
|
8aada9 |
+ char *id = NULL;
|
|
|
8aada9 |
+ enum idmap_error_code err;
|
|
|
8aada9 |
+ struct ldb_val id_val;
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ req = tevent_req_callback_data(subreq, struct tevent_req);
|
|
|
8aada9 |
+ state = tevent_req_data(req, struct ad_get_root_domain_state);
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ ret = ad_check_domain_recv(state, subreq, &flat, &id, NULL, NULL);
|
|
|
8aada9 |
+ talloc_zfree(subreq);
|
|
|
8aada9 |
+ if (ret != EOK) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to check forest root information "
|
|
|
8aada9 |
+ "[%d]: %s\n", ret, sss_strerror(ret));
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ if (flat == NULL) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
8aada9 |
+ "NetBIOS name of forest root not available.\n");
|
|
|
8aada9 |
+ ret = EINVAL;
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ if (id == NULL) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
8aada9 |
+ "Domain SID of forest root not available.\n");
|
|
|
8aada9 |
+ ret = EINVAL;
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ state->reply = talloc_array(state, struct sysdb_attrs *, 1);
|
|
|
8aada9 |
+ if (state->reply == NULL) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_array() failed.\n");
|
|
|
8aada9 |
+ ret = ENOMEM;
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ state->reply[0] = sysdb_new_attrs(state->reply);
|
|
|
8aada9 |
+ if (state->reply[0] == NULL) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs() failed.\n");
|
|
|
8aada9 |
+ ret = ENOMEM;
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_FLATNAME, flat);
|
|
|
8aada9 |
+ if (ret != EOK) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_TRUST_PARTNER,
|
|
|
8aada9 |
+ state->forest);
|
|
|
8aada9 |
+ if (ret != EOK) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
|
|
|
8aada9 |
+ &id_val.data, &id_val.length);
|
|
|
8aada9 |
+ if (err != IDMAP_SUCCESS) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
8aada9 |
+ "Could not convert SID: [%s].\n", idmap_error_string(err));
|
|
|
8aada9 |
+ ret = EFAULT;
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ ret = sysdb_attrs_add_val(state->reply[0], AD_AT_SID, &id_val);
|
|
|
8aada9 |
+ if (ret != EOK) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
|
|
8aada9 |
+ goto done;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ state->reply_count = 1;
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ ret = ad_get_root_domain_refresh(state);
|
|
|
8aada9 |
+ if (ret != EOK) {
|
|
|
8aada9 |
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+done:
|
|
|
8aada9 |
+ if (ret != EOK) {
|
|
|
8aada9 |
+ tevent_req_error(req, ret);
|
|
|
8aada9 |
+ return;
|
|
|
8aada9 |
+ }
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+ tevent_req_done(req);
|
|
|
8aada9 |
+}
|
|
|
8aada9 |
+
|
|
|
8aada9 |
+static errno_t
|
|
|
8aada9 |
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
|
|
|
8aada9 |
+{
|
|
|
8aada9 |
+ struct sss_domain_info *root_domain;
|
|
|
8aada9 |
+ bool has_changes;
|
|
|
8aada9 |
+ errno_t ret;
|
|
|
8aada9 |
+
|
|
|
8aada9 |
ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
|
|
|
8aada9 |
- reply, reply_count, true,
|
|
|
8aada9 |
+ state->reply, state->reply_count, true,
|
|
|
8aada9 |
&state->sd_ctx->last_refreshed,
|
|
|
8aada9 |
&has_changes);
|
|
|
8aada9 |
if (ret != EOK) {
|
|
|
8aada9 |
@@ -1387,8 +1536,8 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
|
|
8aada9 |
}
|
|
|
8aada9 |
}
|
|
|
8aada9 |
|
|
|
8aada9 |
- state->root_domain_attrs = reply[0];
|
|
|
8aada9 |
- root_domain = ads_get_root_domain(state->be_ctx, reply[0]);
|
|
|
8aada9 |
+ state->root_domain_attrs = state->reply[0];
|
|
|
8aada9 |
+ root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]);
|
|
|
8aada9 |
if (root_domain == NULL) {
|
|
|
8aada9 |
DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
|
|
|
8aada9 |
ret = EFAULT;
|
|
|
8aada9 |
@@ -1407,12 +1556,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
|
|
8aada9 |
ret = EOK;
|
|
|
8aada9 |
|
|
|
8aada9 |
done:
|
|
|
8aada9 |
- if (ret != EOK) {
|
|
|
8aada9 |
- tevent_req_error(req, ret);
|
|
|
8aada9 |
- return;
|
|
|
8aada9 |
- }
|
|
|
8aada9 |
-
|
|
|
8aada9 |
- tevent_req_done(req);
|
|
|
8aada9 |
+ return ret;
|
|
|
8aada9 |
}
|
|
|
8aada9 |
|
|
|
8aada9 |
static errno_t ad_get_root_domain_recv(TALLOC_CTX *mem_ctx,
|
|
|
8aada9 |
--
|
|
|
8aada9 |
2.21.3
|
|
|
8aada9 |
|